15 NOV 1982


MEMORANDUM FOR: Chairman, DCI Security Committee
25X1  FROM:
CIA Member, DCI Security Committee 


SUBJECT: National Policy on Damage Assessments (U)


1. In response to your tasking, the Unauthorized
Disclosures Investigations Subcommittee (UDIS) has submitted to
me their report, "Points for Consideration Relative to a National
Policy on Damage Assessments." The report was unanimously agreed
to by all of the UDIS members who attended the 8 October 1982
UDIS meeting (Air Force, Army, CIA, DIA, Energy, FBI, SAFSS,
Treasury and Navy). (U)


2. The report points out that a national policy on damage
assessments is articulated in Information Security Oversight
Office (ISOO) Directive No. 1 (32 CFR Part 2001), and flows from
authority granted to the Director of the ISOO in Section 5.2 of
Executive Order 12356 (April 6, 1982). The Directive requires
that agencies under whose cognizance a loss or possible compromise
occurs shall initiate an inquiry to (a) determine the
cause, (b) place responsibility, and (c) take corrective measures
and appropriate administrative, disciplinary or legal action. (U)


3. There was near unanimity among UDIS members that a full- 
blown damage assessment would not be appropriate in every case 
and that inflexible requirements would be counterproductive. If, 
for example, a safe were left open in a controlled facility and 
discovered by a security guard soon thereafter, a determination 
that no materials were missing, and a change of the safe com- 
bination should suffice. Despite this general agreement that 
discretion must be built into the system, there was a division of
opinion as to whether there should be national level guidance.
It was suggested that when specialized intelligence equipment or
classified military equipment is lost, a human source or a tech- 
nical collection system is jeopardized, a diplomatic pouch 
containing classified information is lost, a secure facility is
penetrated, or espionage occurs, a full damage assessment should
be required unless the Agency head or designee expressly deter- 
mines that this is not necessary. (This also represents my own 
position.) (U)


4. Concern was expressed that improved quality control in
damage assessments needs to be achieved. At the same time, there
was a clear consensus that agencies should not lose control of
the damage assessment process. Each agency should conduct its
own damage assessment and should be free to structure an investigative
framework in accordance with its own realities. Over
time, the substantive and technical expertise, along with the
security, counterintelligence and audit perspectives represented
by participants in damage assessment groups or teams could create
or improve upon institutional memory and level of experience in
examining compromises. (U)


5. It was suggested that there is little feedback on
lessons learned, but it was also recognized that there is a
natural concern about airing one's "dirty linen" in public, and
justifiable concerns about security, particularly where compartmented
or "bigoted" programs are involved. It is felt that a
logical military hardware or weapons system grouping exists,
and within the Intelligence Community, a distinct SCI Community
grouping. Information might be shared within these groups.
There has been such sharing at program manager level in the past,
but none has been nationally mandated. The Air Force does
publish a newsletter (three to four times per year) that
synopsizes cases involving unauthorized disclosures of SCI.
It was suggested that the Air Force newsletter might serve as a
model for others, and that the SECOM might publish such a newsletter
for the Intelligence Community. Similarly, the ISOO could
publish such a newsletter relating to unauthorized disclosures of
collateral classified information. The newly revised DCID 1/19
does already provide for sharing with the SECOM and the DCI summaries
of investigations and related actions in cases involving
significant compromises. (U)


6. The report suggests the need for an "unauthorized
disclosure" database, similar to that established by the
Department of Justice and the Federal Bureau of Investigation.
There was concern expressed that the information in such a
database would be extremely sensitive, but it was suggested that 
a system might be designed, similar to the 4C System, which would 
adequately protect the information. While not so stated in the 
report, it is suggested that such a Government-wide unauthorized 
disclosure database, as a service of common concern for the 




Director of Central Intelligence


